RH:CVE-2023-50726 (redhat.com, access.redhat.com)
CVE-2023-50726
History: Mar 14, 2024 - 5:07 a.m.

Tags: cve-2023-50726, flaw, argo cd, improper validation, sync, local manifests, app creation, create privileges, override privileges, restrictions, appproject, bypass, branch protection, rbac access
CVSS3: 6.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

AI Score: 6.3 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)

A flaw was found in the Argo CD package. An improper validation bug allows users who hold the applications "create" privilege but not the "override" privilege to sync local (inline) manifests when creating an Application. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is the requirement that the manifests come from an approved git/Helm/OCI source, so repository branch protection can be bypassed by supplying manifests directly.

Mitigation

To mitigate the risk of branch protection bypass on an unpatched instance, remove the "applications, create" RBAC grant from users who should not be able to supply their own manifests; without the ability to create Applications, the local-manifest sync path cannot be reached.
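The following Go program is an added illustration of the flaw and the workaround above; it is not Argo CD's own code. It models a toy Application type, a policy loader that reads the same "p, subject, resource, action, object, effect" rows used by argocd-rbac-cm policy.csv (object and project scoping ignored), and two create handlers: one that enforces only "applications/create" and one that additionally requires "applications/override" whenever inline manifests are supplied. All names, the sample policies and the sample manifest are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Application is a stripped-down stand-in for Argo CD's Application resource
// (hypothetical type for this example). Manifests models manifests passed
// inline with the create+sync request instead of being fetched from RepoURL.
type Application struct {
	Name      string
	Project   string
	RepoURL   string
	Manifests []string
}

// Policy maps a role to its "resource/action" grants.
type Policy map[string]map[string]bool

// ParsePolicy loads policy.csv-style rows; malformed or non-allow rows are skipped.
func ParsePolicy(csv string) Policy {
	p := Policy{}
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(line, ",")
		if len(f) != 6 {
			continue
		}
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if f[0] != "p" || f[5] != "allow" {
			continue
		}
		if p[f[1]] == nil {
			p[f[1]] = map[string]bool{}
		}
		p[f[1]][f[2]+"/"+f[3]] = true
	}
	return p
}

// Allowed reports whether role holds resource/action.
func (p Policy) Allowed(role, resource, action string) bool {
	return p[role][resource+"/"+action]
}

var ErrPermissionDenied = errors.New("permission denied")

// CreateAppVulnerable mirrors the behaviour the advisory describes: only
// applications/create is checked, so a create-only user can ship arbitrary
// inline manifests that never pass through the approved git/Helm/OCI source.
func CreateAppVulnerable(p Policy, role string, app Application) error {
	if !p.Allowed(role, "applications", "create") {
		return ErrPermissionDenied
	}
	return nil
}

// CreateAppFixed adds the missing check: inline manifests are an override of
// the declared source, so they also require applications/override.
func CreateAppFixed(p Policy, role string, app Application) error {
	if !p.Allowed(role, "applications", "create") {
		return ErrPermissionDenied
	}
	if len(app.Manifests) > 0 && !p.Allowed(role, "applications", "override") {
		return fmt.Errorf("%w: inline manifests on create require applications/override", ErrPermissionDenied)
	}
	return nil
}

// Constructed sample policies, not taken from any real deployment.
const DevPolicyCSV = `
p, role:dev, applications, get, */*, allow
p, role:dev, applications, create, */*, allow
p, role:dev, applications, sync, */*, allow
`

// MitigatedPolicyCSV applies the workaround: the "applications, create" row is removed.
const MitigatedPolicyCSV = `
p, role:dev, applications, get, */*, allow
p, role:dev, applications, sync, */*, allow
`

func main() {
	app := Application{Name: "demo", Project: "default",
		RepoURL:   "https://git.example/approved-repo.git", // constructed
		Manifests: []string{"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: injected"}}
	dev, mitigated := ParsePolicy(DevPolicyCSV), ParsePolicy(MitigatedPolicyCSV)
	fmt.Println("vulnerable, create-only role:", CreateAppVulnerable(dev, "role:dev", app))
	fmt.Println("fixed, create-only role:     ", CreateAppFixed(dev, "role:dev", app))
	fmt.Println("vulnerable, mitigated policy:", CreateAppVulnerable(mitigated, "role:dev", app))
}
```

The first call succeeds even though role:dev cannot override sources, which is the branch-protection bypass; the second is denied by the added check; the third shows that dropping the create grant closes the path on code that still lacks the check.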
